$1 408 000 USD

JULY 2021




"UniFarm is staking solution where the best projects in DeFi space come together to provide value to investors. The platform allows you to stake one token but earn multiple high-value tokens. So in addition to a great APY, your returns are automatically diversified as well." "No more searching & sifting. One piece to stake your holdings and earn Upto 250% APY. True Decentralisation. Your Tokens Stay with You. Stake any or all from $ORO, $MATIC, $REEF, $CNTR and $FRONT. Farm ALL the others. Complete Control over your assets. Unstake Anytime."


"ChainSwap is a bridge protocol that links the Ethereum and Binance Smart Chain (BSC) blockchains." "It supports Binance Smart Chain, Ethereum, Polygon, and Huobi Eco Chain." "The ChainSwap hacker identified and exploited a vulnerability in the ChainSwap smart contract. This vulnerability enabled them to steal and mint new tokens for various protocols that were using the bridge to trade across Ethereum and BSC."


Investigation by ChainSwap revealed "a bug in the token cross-chain quota code. The on-chain swap bridge quota is automatically increased by the signature node, which is intended to be more decentralized without manual control. However, due to a logical flaw in code, this led to an exploit by allowing invalid addresses which weren’t whitelisted to automatically increase the amount."


"The attacker managed to take control of the projects’ BSC contracts by exploiting ChainSwap. The attacker minted tokens directly to their address, then sold them on BSC’s most popular decentralized exchange, PancakeSwap." "[T]he attacker used the PancakeSwap exchange to convert the stolen tokens to WBNB, DAI, and other tokens."


"On Saturday (July 11, 2021), hackers took advantage of a vulnerability in the exchange’s smart contract code and stole the tokens of nearly a dozen projects, including Unifarm, Oropocket, Umbrella Network, Dafi, Razor, Antimatter and many others."


"According to Chainswap, only the smart contracts of the projects have been affected and not the wallets that interacted with the platform. The platform has also contended that funds from individual wallets are completely safe, and those suffering a hit from the breach are the ones who had stored crypto assets in wallets within the targeted exchanges. "


"The UniFarm project tweeted that Chainswap was under attack." "They have advised us to remove mobility, which we have already done on Uniswap and Pancake Swap, and we are asking the community to remove their mobility as well until this issue is resolved." The project also said it had locked down all of the hacker's UFarm tokens using developer rights, so the hacker could not sell them."


"Nothing changes in Unifarm as we go ahead with the staking as scheduled, unperturbed by the unscrupulous and condemnable act. Our contracts and tokens, except a few (1458053.939076000000008192 ORO and 18006434.862154000000012288 UFARM tokens on Ethereum chain), are unaffected and continue to be secure."


"Chainswap said it had already repurchased a small amount of the affected tokens from the market and returned the contract wallet. The rest will be paid out in full by the Chainswap vault." "ChainSwap team has now prepared and executed a compensation plan in consensus with the affected projects." "In order to bring everybody a more rigorous, efficient bridge, the next development model of ChainSwap will be adjusted to ensure maximum safety."


"For now, Chainswap has temporarily closed its cross-chain bridge." "ChainSwap worked with the police and OKEx to identify the attackers, and managed to negotiate the recovery of Corra and Rai tokens. An initial email with the attackers suggested the attackers return $1 million."


“Sorry for the trouble, you sound genuinely like great people but money is money,” the attackers of the earlier exploit told ChainSwap.


"ChainSwap is excited to announce that we have successfully integrated with Anyswap and Chainswap bridge is now live. We thank our community for its patience during the last few weeks."


"To set the seal on trustworthiness, [Unifarm] will be redeploying the contract and new tokens will be published under a more structured process with a turnaround time of 48 hours." "While Oropocket and UniFarm were the least-affected projects in the recent hack suffered by Chainswap, we have taken a series of preventive steps to keep the users’ trustworthiness intact. The investors can now exchange their old $ORO and $UFARM tokens with the new ones that have been published to avoid fraudulence." "Once your interaction is approved with a new contract, you can now swap your old UFarm or ORO tokens with new tokens." "It will take a couple of seconds to swap your old tokens with new ones and also confirm the Metamask notification prompted alongside."


"[T]he $UFARM tokens on the Ethereum chain were locked so that [the hacker] could not sell." "To enhance the safety of crypto-assets and tokens, we have been working on our assets bridge to swap tokens between Ethereum and BSC, which will be extensively tested and audited to ensure a hassle-free experience. Once the bridge is launched, we will not be dependent on Chainswap for token swapping."

UniFarm is a staking protocol offering high yield by diversifying the investment across multiple protocols. Their token used ChainSwap to exist on multiple blockchains, which required some funds to be stored in the smart contract hot wallet.


The ChainSwap bridge was hacked, and the attacker was able to obtain some tokens, which were sold. The UniFarm team managed to freeze the hacker's tokens and provided a swap for affected users from the old token to a new token they created.


Theoretically, decentralized finance will eventually result in hackers having exploited every vulnerability that exists. However, it's impossible to know when that will occur and if a contract is truly secure, as opposed to there still being an exploit that just hasn't been noticed yet. For any complex smart contract, it's impossible to prove security and plenty of fully audited contracts have been exploited.


In this situation, it looks like it will be ultimately reimbursed. Platforms should, generally, be prepared for the full loss of all assets stored in hot wallets (including smart contracts). Assets that do not need to be accessed quickly should be stored securely in a simple offline multi-signature wallet.


Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.